Bug 1131289 - VUL-0: wpa3: Dragonblood Analysing WPA3's Dragonfly Handshake (VU#871675)
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Normal
Assigned To: Security Team bot
Depends on:
Blocks: CVE-2019-9495 CVE-2019-9497 CVE-2019-9498 1131291 1131644 CVE-2019-9494 CVE-2019-9496 CVE-2019-9499
Reported: 2019-04-02 12:13 UTC by Marcus Meissner
Modified: 2021-02-10 08:17 UTC


new-report.md (7.55 KB, text/plain)
2019-04-02 12:14 UTC, Marcus Meissner
constant_time.md (3.82 KB, text/markdown)
2019-04-02 12:14 UTC, Marcus Meissner

Comment 1 Marcus Meissner 2019-04-02 12:14:01 UTC
Created attachment 801960

new-report.md (same content as #c0)
Comment 2 Marcus Meissner 2019-04-02 12:14:31 UTC
Created attachment 801961

Comment 4 Marcus Meissner 2019-04-11 05:17:59 UTC
is public now:



Currently, all modern Wi-Fi networks use WPA2 to protect transmitted data. However, because WPA2 is more than 14 years old, the Wi-Fi Alliance recently announced the new and more secure WPA3 protocol. One of the main advantages of WPA3 is that, thanks to its underlying Dragonfly handshake, it's near impossible to crack the password of a network. Unfortunately, we found that even with WPA3, an attacker within range of a victim can still recover the password of the Wi-Fi network. Concretely, attackers can then read information that WPA3 was assumed to safely encrypt. This can be abused to steal sensitive transmitted information such as credit card numbers, passwords, chat messages, emails, and so on.

The Dragonfly handshake, which forms the core of WPA3, is also used on certain Wi-Fi networks that require a username and password for access control. That is, Dragonfly is also used in the EAP-pwd protocol. Unfortunately, our attacks against WPA3 also work against EAP-pwd, meaning an adversary can even recover a user's password when EAP-pwd is used. Moreover, we also discovered serious bugs in most products that implement EAP-pwd. These allow an adversary to impersonate any user, and thereby access the Wi-Fi network, without knowing the user's password. Although we believe that EAP-pwd is used fairly infrequently, this still poses serious risks for many users, and illustrates the risks of incorrectly implementing Dragonfly.

The technical details behind our attacks against WPA3 can be found in our detailed research paper titled Dragonblood: A Security Analysis of WPA3's SAE Handshake. The details of our EAP-pwd attacks are explained on this website. 

Comment 5 Clemens Famulla-Conrad 2021-02-10 08:17:58 UTC
wpa_supplicant was updated to 2.9, which includes the available patches to fix this issue.